Artifact Registry Service Agent

The Artifact Registry Service Agent acts on behalf of Artifact Registry when interacting with Trusted Cloud by S3NS services.

After you create the first Artifact Registry repository in a Trusted Cloud project, the Artifact Registry Service Agent is automatically created. The service agent identifier is:

service-PROJECT-NUMBER@gcp-sa-artifactregistry.s3ns-system.iam.gserviceaccount.com

PROJECT-NUMBER is the project number of the Trusted Cloud project where Artifact Registry is running.

To create the service agent manually in a project that does not have any repositories yet, run the command:

gcloud beta services identity create \
    --service=artifactregistry.s3nsapis.fr \
    --project=PROJECT-ID

Replace PROJECT-ID with the Trusted Cloud project ID.

The Artifact Registry Service Agent is granted the Artifact Registry Service Agent role (roles/artifactregistry.serviceAgent) for resources in the project. To enforce the security principle of least privilege, the role only has the minimum required permissions:

  • Publish to Pub/Sub topics: pubsub.topics.publish
  • Download artifacts from Artifact Registry repositories: artifactregistry.repositories.downloadArtifacts
  • Delete artifacts: artifactregistry.versions.delete
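
To check that the service agent stays at this least-privilege baseline, the following added example (not part of the original documentation) audits a project IAM policy for extra roles bound to the agent and compares a role definition with the three permissions listed above. It assumes the inputs are JSON as returned by `gcloud projects get-iam-policy PROJECT-ID --format=json` and `gcloud iam roles describe roles/artifactregistry.serviceAgent --format=json`; the function names and sample data are constructed for illustration.

```python
import json

# Identifier format and role name are taken from the page.
AGENT_FMT = ("serviceAccount:service-{n}@gcp-sa-artifactregistry"
             ".s3ns-system.iam.gserviceaccount.com")
AGENT_ROLE = "roles/artifactregistry.serviceAgent"
# The three permissions the page lists for that role.
DOCUMENTED = {
    "pubsub.topics.publish",
    "artifactregistry.repositories.downloadArtifacts",
    "artifactregistry.versions.delete",
}

def audit_bindings(policy, project_number):
    """Report which roles the service agent holds in a project IAM policy."""
    member = AGENT_FMT.format(n=project_number)
    roles = sorted({b["role"] for b in policy.get("bindings", [])
                    if member in b.get("members", [])})
    return {"has_agent_role": AGENT_ROLE in roles,
            "extra_roles": [r for r in roles if r != AGENT_ROLE]}

def audit_role(role):
    """Compare a role definition's permissions with the documented set."""
    granted = set(role.get("includedPermissions", []))
    return {"undocumented": sorted(granted - DOCUMENTED),
            "missing": sorted(DOCUMENTED - granted)}

# Constructed sample data (not real output): project number 123456789012.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/artifactregistry.serviceAgent",
   "members": ["serviceAccount:service-123456789012@gcp-sa-artifactregistry.s3ns-system.iam.gserviceaccount.com"]},
  {"role": "roles/editor",
   "members": ["user:dev@example.com",
               "serviceAccount:service-123456789012@gcp-sa-artifactregistry.s3ns-system.iam.gserviceaccount.com"]},
  {"role": "roles/viewer", "members": ["user:dev@example.com"]}
]}
""")
SAMPLE_ROLE = {"name": AGENT_ROLE, "includedPermissions": [
    "artifactregistry.repositories.downloadArtifacts",
    "artifactregistry.versions.delete",
    "pubsub.topics.publish",
    "storage.objects.get",  # constructed drift, for illustration only
]}

if __name__ == "__main__":
    print(audit_bindings(SAMPLE_POLICY, "123456789012"))
    print(audit_role(SAMPLE_ROLE))
```

A non-empty extra_roles list means the agent has been granted access beyond its service agent role, and a non-empty undocumented list means the role definition differs from the permissions listed on this page.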

What's next

Learn about Artifact Registry roles and configuring access to repositories.